Windows Process SID details

Source: Internet
Author: User
Tags: builtin, repetition

SID

A SID (Security Identifier) is the unique number that identifies a user, group or computer account. When an account is created, a unique SID is issued for it, and internally Windows 2000 refers to the account by its SID rather than by its user or group name. If you create an account, delete it, and then create another account with the same user name, the new account does not inherit the rights or permissions granted to the old one, because the two accounts have different SIDs. A security identifier is also called a Security ID or SID.
Role of SID
After a user is authenticated, the logon process hands the user an access token, which is the user's credential for accessing system resources. Whenever the user tries to access a resource, the access token is presented to Windows NT, which checks the access control list on the object being accessed. If the ACL allows it, Windows NT grants the user the corresponding access rights.
The access token is built by the logon process at the moment the user is authenticated. Therefore, to change a user's permissions you must log off and log on again to obtain a new access token.
SID number
If two users have the same SID, the two accounts are treated as the same account. In principle the same SID is never generated twice unless a system is copied, so in general a SID is unique. The machine SID is derived from the computer name, the current time and the total CPU time consumed by the current user-mode thread, which is what makes it unique.
A complete SID consists of:
- the "S" prefix marking the string as a SID
- a revision level
- a 48-bit identifier authority
- a variable number of sub-authority values, the last of which is the relative identifier (RID)
Example: S-1-5-21-310440588-250036847-580389505-500
Let us analyze this SID. The first item, S, marks the string as a SID. The second item is the revision level, which is 1 for Windows 2000. Next is the identifier authority; for accounts in Windows 2000 this is the NT authority, value 5. The remainder is a series of sub-authorities: the leading ones identify the domain (or the local machine), and the last one, the RID, identifies the account or group within that domain.
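To make that layout concrete, here is an added example (it is not code from the original article) that parses a SID string into its revision, identifier authority and sub-authorities, converts it to and from the binary form that Windows actually stores in tokens, ACLs and the SAM, and classifies it against the RID table at the end of this article. The sample SIDs are the ones quoted on this page; the class and function names are my own.

```python
"""Parse, encode and classify Windows SIDs.

Added example for this article; it is not code from the original page. The
SID string grammar and the binary layout below are the documented Windows
formats, and the sample SIDs are the ones quoted in the article.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

# Identifier authorities seen in this article.
AUTHORITY_NAMES = {0: "NULL", 1: "WORLD", 3: "CREATOR", 5: "NT"}

# Well-known account RIDs from the article's table.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int                      # 48-bit identifier authority
    sub_authorities: Tuple[int, ...]    # up to 15 32-bit values; the last one is the RID

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the string form S-<revision>-<authority>-<sub>-<sub>..."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1:
            raise ValueError(f"unsupported SID revision {revision}")
        if not 0 <= authority < 2 ** 48:
            raise ValueError("identifier authority must fit in 48 bits")
        if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
            raise ValueError("at most 15 sub-authorities, each a 32-bit value")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.sub_authorities)])

    def to_bytes(self) -> bytes:
        """Binary SID as stored in tokens, ACLs and the SAM: revision (1 byte),
        sub-authority count (1 byte), 48-bit big-endian identifier authority,
        then the sub-authorities as little-endian 32-bit integers."""
        head = struct.pack("BB", self.revision, len(self.sub_authorities))
        auth = self.authority.to_bytes(6, "big")
        subs = struct.pack("<%dI" % len(self.sub_authorities), *self.sub_authorities)
        return head + auth + subs

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        revision, count = struct.unpack_from("BB", data, 0)
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from("<%dI" % count, data, 8)
        return cls(revision, authority, tuple(subs))

    @property
    def rid(self) -> int:
        """Relative identifier: the final sub-authority."""
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> "Sid":
        """Everything but the RID: identifies the issuing domain or machine."""
        return Sid(self.revision, self.authority, self.sub_authorities[:-1])


def describe(text: str) -> dict:
    """Classify a SID the way the article does: domain/local account, BUILTIN alias, or well-known."""
    sid = Sid.parse(text)
    info = {"authority": AUTHORITY_NAMES.get(sid.authority, str(sid.authority))}
    subs = sid.sub_authorities
    if sid.authority == 5 and len(subs) == 5 and subs[0] == 21:
        info.update(kind="domain or local account", domain_sid=str(sid.domain_sid),
                    rid=sid.rid, well_known=WELL_KNOWN_RIDS.get(sid.rid))
    elif sid.authority == 5 and len(subs) == 2 and subs[0] == 32:
        info.update(kind="BUILTIN alias", rid=sid.rid)
    else:
        info.update(kind="well-known")
    return info


if __name__ == "__main__":
    for s in ("S-1-5-21-310440588-250036847-580389505-500", "S-1-5-32-544", "S-1-5-18"):
        print(s, describe(s), Sid.parse(s).to_bytes().hex())
```

The binary form is what you will meet when you read SIDs out of a security descriptor or a SAM hive rather than from a tool that has already pretty-printed them; note that the identifier authority is big-endian while the sub-authorities are little-endian.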
SID acquisition
Start > Run > regedt32, then open HKEY_LOCAL_MACHINE\SAM\Domains\Builtin\Aliases\Members, find the key named after the local domain's SID and expand it; this lists the SIDs of all local accounts.
Many of these values are fixed. For example, 1F4 (hexadecimal) converts to 500 in decimal, which is the built-in Administrator account, and 1F5 converts to 501, the Guest account. See the list at the end of this article for details.
By default only SYSTEM has full control over this key, which is why you need a cmd shell running as SYSTEM to read it; with sufficient permissions you can also add the account you want.
Or use the Reg tool from the Support Tools:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
There is also a way to obtain the correspondence between SIDs and user names:
1. In regedt32 open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
2. The SID values appear as subkeys in the left-hand window, and the ProfileImagePath value in the right-hand window shows the user name associated with each SID.
For example, %SystemDrive%\Documents and Settings\Administrator.momo corresponds to the local machine's Administrator SID, and %SystemDrive%\Documents and Settings\Administrator.domain corresponds to the domain's Administrator account.
In addition, Microsoft's Resource Kit provides the tool getsid, and Sysinternals offers the similar PsGetSid; they do the lookup for you and save the trouble of reading the registry by hand.
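The ProfileList procedure above can be automated. The following added example (not from the original article) parses the text that reg query produces for that key and rebuilds the SID-to-user-name correspondence, separating local accounts from domain accounts by the machine SID. SAMPLE is constructed output modelled on the Administrator.momo and Administrator.domain entries above; the output layout it assumes (a key line followed by indented name/type/data lines) and the machine SID passed to resolve() are assumptions, not taken from the article.

```python
r"""Map profile SIDs to user names from the ProfileList registry key.

Added example for this article; it is not code from the original page. SAMPLE
is constructed text shaped like the output of
  reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
(key line, then indented "name type data" lines); capture the real output and
pass it to parse_profile_list. The machine SID given to resolve() is assumed to
be known, for example from the SAM key described earlier in the article.
"""
import re
from typing import Dict, List

# Constructed sample, not captured from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-310440588-250036847-580389505-500
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Administrator.momo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-917267712-1342860078-1792151419-500
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\Administrator.domain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-310440588-250036847-580389505-1004
    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\alice
"""

# A profile key line ends in the SID; a value line is indented: name, REG_ type, data.
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\ProfileList\\(S-1-5(?:-\d+)+)\s*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_profile_list(text: str) -> Dict[str, str]:
    """Return {SID: ProfileImagePath} for every profile key in the reg query output."""
    profiles: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current and value.group(1) == "ProfileImagePath":
            profiles[current] = value.group(3)
    return profiles


def resolve(profiles: Dict[str, str], machine_sid: str) -> List[dict]:
    """Turn each SID/path pair into user name, scope and RID. The profile folder is
    the user name, optionally followed by '.<machine or domain>', which Windows
    appends when two accounts with the same name (local and domain Administrator)
    have both logged on to the machine."""
    rows = []
    for sid, path in profiles.items():
        folder = path.rsplit("\\", 1)[-1]
        user, _, suffix = folder.partition(".")
        if sid.startswith(machine_sid + "-"):
            scope = "local"
        elif sid.startswith("S-1-5-21-"):
            scope = "domain"
        else:
            scope = "well-known"
        rid = int(sid.rsplit("-", 1)[-1])
        rows.append({"sid": sid, "user": user, "suffix": suffix or None,
                     "scope": scope, "rid": rid, "builtin_admin": rid == 500})
    return rows


if __name__ == "__main__":
    for row in resolve(parse_profile_list(SAMPLE), "S-1-5-21-310440588-250036847-580389505"):
        print(row)
```

Flagging RID 500 separately is deliberate: renaming the Administrator account changes the profile folder name but not the RID, so the RID is the reliable way to spot the built-in administrator in this list.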
How SID duplication arises
A unique SID is generated when NT/2000 is installed. When a machine is cloned with software such as Ghost, however, every clone receives the same SID, which is a serious security problem.
Duplicate SIDs likewise cause many security issues in a peer-to-peer network. There, an account is identified by the machine SID plus a relative identifier (RID). If all workstations share the same SID, the first account created on each workstation has the same SID as well, which puts the security of your folders and files at risk.
Suppose a user creates a share on an NTFS partition and grants access only to himself; because the corresponding account on another cloned machine has the very same SID, that account can access the share too.
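To show why the shared SID matters, here is an added example (not from the original article, and not a call into Windows) that models an access check over an ordered DACL using string SIDs. Two hosts cloned with Ghost share a machine SID, so their Administrator accounts have the same SID and no ACE can tell them apart; a host that was given a new machine SID is refused. The machine SIDs are constructed values taken from SIDs quoted elsewhere on this page, the READ/WRITE masks are simplified, and the helper names are my own.

```python
"""Why cloned machine SIDs defeat share permissions: a simplified DACL walk.

Added example for this article; it is not code from the original page and does
not call the Windows security subsystem. It models the documented first-match
evaluation of an ordered DACL (a matching deny ACE refuses outstanding rights,
allow ACEs accumulate them) over plain string SIDs. Machine SIDs and host roles
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

READ, WRITE = 0x1, 0x2   # simplified access mask bits


@dataclass
class Ace:
    allow: bool     # True = access-allowed ACE, False = access-denied ACE
    sid: str        # trustee the ACE applies to
    mask: int       # access rights the ACE grants or denies


@dataclass
class Token:
    user_sid: str
    group_sids: List[str] = field(default_factory=list)

    def sids(self) -> List[str]:
        return [self.user_sid, *self.group_sids]


def local_account_sid(machine_sid: str, rid: int) -> str:
    """A local account's SID is the machine SID followed by the account RID (500 = Administrator)."""
    return f"{machine_sid}-{rid}"


def access_check(dacl: List[Ace], token: Token, wanted: int) -> bool:
    """Walk the ACEs in order; only ACEs naming a SID present in the token count.
    A matching deny ACE that covers any still-unsatisfied requested right refuses
    access; allow ACEs accumulate rights until every requested bit is granted.
    Requesting nothing, or running off the end of the DACL, is a refusal."""
    if wanted == 0:
        return False
    granted = 0
    for ace in dacl:
        if ace.sid not in token.sids():
            continue
        remaining = wanted & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & wanted
            if granted == wanted:
                return True
    return False


def clone_scenario() -> Dict[str, bool]:
    """Host A's owner shares a folder to 'his' Administrator only. Host B is a Ghost
    clone of A (same machine SID); host C received a new machine SID."""
    host_a = "S-1-5-21-310440588-250036847-580389505"    # constructed machine SID
    host_b = host_a                                       # Ghost clone: identical SID
    host_c = "S-1-5-21-759461550-145307086-515799519"     # constructed, distinct SID
    admin_a = local_account_sid(host_a, 500)
    admin_b = local_account_sid(host_b, 500)
    admin_c = local_account_sid(host_c, 500)
    everyone = "S-1-1-0"

    dacl = [Ace(allow=True, sid=admin_a, mask=READ | WRITE)]
    return {
        "owner_full": access_check(dacl, Token(admin_a, [everyone]), READ | WRITE),
        "clone_admin_full": access_check(dacl, Token(admin_b, [everyone]), READ | WRITE),
        "other_machine_read": access_check(dacl, Token(admin_c, [everyone]), READ),
        "indistinguishable": admin_a == admin_b,
    }


def deny_ordering_example() -> Dict[str, bool]:
    """In a canonical DACL deny ACEs come first, so a deny of WRITE for Everyone
    beats a later allow of READ|WRITE for the user; READ alone is still granted."""
    admin = local_account_sid("S-1-5-21-310440588-250036847-580389505", 500)
    dacl = [Ace(allow=False, sid="S-1-1-0", mask=WRITE),
            Ace(allow=True, sid=admin, mask=READ | WRITE)]
    token = Token(admin, ["S-1-1-0"])
    return {"read": access_check(dacl, token, READ),
            "write": access_check(dacl, token, WRITE),
            "read_write": access_check(dacl, token, READ | WRITE)}


if __name__ == "__main__":
    print(clone_scenario())
    print(deny_ordering_example())
```

The "indistinguishable" result is the real lesson: because the clone's Administrator carries the identical SID, there is no ACE you could add to keep it out without also locking out your own account.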
Resolving duplicate SIDs
The following tests are highly risky; use them with caution. I have already paid a terrible price!
Microsoft provides a tool in the Resource Kit called Sysprep, which can generate a new SID before a workstation is cloned. Its parameters were shown in a screenshot that is not reproduced here.
This tool cannot be run on a DC; if you try, it displays a warning (screenshot not reproduced here).
However, the tool does not generate new SIDs for all accounts. It targets the two main accounts, Administrator and Guest; other accounts keep their original SIDs.
Here is a test. First, the current SID:
S-1-5-21-2000478354-688789844-839522115
Run Sysprep; a prompt window appears (screenshot not reproduced here).
Confirm and restart; the setup program then asks you to reset the computer name and the administrator password, but you still log on with the original account's password.
After Windows 2000 comes up, query the SID again:
S-1-5-21-759461550-145307086-515799519. The SID has changed, and a check of the registry shows that all SID entries there were rewritten too, every one of them.
Sysinternals also provides a similar tool, NTSID, which I later discovered was written for NT4. Its interface (screenshot not reproduced here):
It gives no warning that it must not be used on a DC and simply proceeds. The result was that one of my DCs crashed. After the restart the system reported "Security Accounts Manager initialization failed: the value provided for the identifier authority is invalid. Error status: 0xC0000084. Click OK to shut down and reboot into Directory Services Restore Mode...", and even Directory Services Restore Mode would no longer start.
Looking back, I was far too bold. Fortunately it was an additional DC, but the machine had to be reinstalled. So let me remind you again: be careful with the tests above, and preferably run them on a machine that does not matter; otherwise I take no responsibility for any problems. In addition, the new Ghost Enterprise Edition console has added a SID-changing feature. I have not tried it yet; if you are interested you can try it yourself, but the principle should be the same.
Before this article was published I found a Microsoft tool called Riprep. It is intended for Remote Installation and requires the applications to be installed at the same time: after installing a standard corporate desktop operating system and configuring the applications and desktop settings, the administrator uses Riprep to create an image of that standard desktop. The image includes the custom applications, and the unique security ID and computer account of each desktop are removed from it. The administrator places the image on the Remote Installation server for clients to choose when they boot remotely. Note that this tool only supports single-disk, single-partition machines running the Professional edition.
The following is a list of the RID values at the end of the SID, with the hexadecimal form in parentheses:

Built-In Users
  DOMAINNAME\ADMINISTRATOR          S-1-5-21-917267712-1342860078-1792151419-500  (RID 500 = 0x1F4)
  DOMAINNAME\GUEST                  S-1-5-21-917267712-1342860078-1792151419-501  (RID 501 = 0x1F5)
Built-In Global Groups
  DOMAINNAME\DOMAIN ADMINS          S-1-5-21-917267712-1342860078-1792151419-512  (RID 512 = 0x200)
  DOMAINNAME\DOMAIN USERS           S-1-5-21-917267712-1342860078-1792151419-513  (RID 513 = 0x201)
  DOMAINNAME\DOMAIN GUESTS          S-1-5-21-917267712-1342860078-1792151419-514  (RID 514 = 0x202)
Built-In Local Groups
  BUILTIN\ADMINISTRATORS            S-1-5-32-544  (RID 544 = 0x220)
  BUILTIN\USERS                     S-1-5-32-545  (RID 545 = 0x221)
  BUILTIN\GUESTS                    S-1-5-32-546  (RID 546 = 0x222)
  BUILTIN\ACCOUNT OPERATORS         S-1-5-32-548  (RID 548 = 0x224)
  BUILTIN\SERVER OPERATORS          S-1-5-32-549  (RID 549 = 0x225)
  BUILTIN\PRINT OPERATORS           S-1-5-32-550  (RID 550 = 0x226)
  BUILTIN\BACKUP OPERATORS          S-1-5-32-551  (RID 551 = 0x227)
  BUILTIN\REPLICATOR                S-1-5-32-552  (RID 552 = 0x228)
Special Groups
  CREATOR OWNER                     S-1-3-0
  EVERYONE                          S-1-1-0
  NT AUTHORITY\NETWORK              S-1-5-2
  NT AUTHORITY\INTERACTIVE          S-1-5-4
  NT AUTHORITY\SYSTEM               S-1-5-18
  NT AUTHORITY\AUTHENTICATED USERS  S-1-5-11

